[keycloak-dev] no empty password in UserFederationProvider

Michael Gerber gerbermichi at me.com
Mon Nov 23 08:33:26 EST 2015


I think it’s the responsibility of the UserFederationProvider to decide if a password is valid or not. Therefore, even empty passwords have to be sent to it.


> On 23.11.2015, at 09:04, Stian Thorgersen <sthorger at redhat.com> wrote:
> 
> Question: a user passing an empty password is that really a brute force attempt? Is it not more likely that a user has forgotten to enter the password? I'm asking because I'm not convinced forgetting to enter a value in the password field should count as a login attempt.
> 
> On 23 November 2015 at 09:02, Marek Posolda <mposolda at redhat.com> wrote:
> Sure, that would be fine. But again, it's important that with default
> settings, LDAPOperationManager.authenticate won't automatically
> authenticate AD users with empty password (which may happen when
> anonymous bind is enabled on AD side).
> 
> Marek
> 
> On 20/11/15 18:22, Michael Gerber wrote:
> > We’ve got a custom UserFederationProvider, which authenticates users against an AD or DB. Therefore, we need to know if a user entered an empty password.
> > I will create a PR and jira ticket for that, ok?
> >
> >> On 20.11.2015, at 17:50, Marek Posolda <mposolda at redhat.com> wrote:
> >>
> >> That will be the easiest path to use our BruteForceProtector.
> >>
> >> However AD also has some "BruteForceProtector" of its own, which disables a user in AD when he reaches some count of invalid attempts. And I guess Michael wants to use that one and disable the user in AD as well.
> >>
> >> Marek
> >>
> >> On 20/11/15 17:40, Bill Burke wrote:
> >>> You can I guess, but why does it matter?  invalidPassword hits the brute
> >>> force detector if it is turned on.
> >>>
> >>> On 11/20/2015 10:16 AM, Michael Gerber wrote:
> >>>> AbstractUsernameFormAuthenticator.validatePassword
> >>>>
> >>>> public boolean validatePassword(AuthenticationFlowContext context, UserModel user, MultivaluedMap<String, String> inputData) {
> >>>>     List<UserCredentialModel> credentials = new LinkedList<>();
> >>>>     String password = inputData.getFirst(CredentialRepresentation.PASSWORD);
> >>>>     // A missing or empty password is rejected here and never reaches the
> >>>>     // UserFederationProvider; the failure is still reported to invalidPassword.
> >>>>     if (password == null || password.isEmpty()) {
> >>>>         invalidPassword(context, user);
> >>>>         return false;
> >>>>     }
> >>>>     credentials.add(UserCredentialModel.password(password));
> >>>>     boolean valid = context.getSession().users().validCredentials(context.getRealm(), user, credentials);
> >>>>     if (!valid) {
> >>>>         invalidPassword(context, user);
> >>>>         return false;
> >>>>     }
> >>>>     return true;
> >>>> }
> >>>>
> >>>> I think we can remove the first if (password == null || password.isEmpty())
> >>>>
> >>>> On 20 November 2015 at 16:11, Bill Burke <bburke at redhat.com> wrote:
> >>>>
> >>>>> Point me to the code?
> >>>>>
> >>>>> On 11/20/2015 9:04 AM, Michael Gerber wrote:
> >>>>>> Hi All,
> >>>>>>
> >>>>>> keycloak does not pass an empty password to the validCredentials method
> >>>>>> in the UserFederationProvider class.
> >>>>>> Is there a reason for that? I would like to authenticate against an AD
> >>>>>> even if the password is empty, otherwise the user won't be blocked after
> >>>>>> x attempts.
> >>>>>>
> >>>>>> Michael
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> keycloak-dev mailing list
> >>>>>> keycloak-dev at lists.jboss.org
> >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>>>>
> >>>>> --
> >>>>> Bill Burke
> >>>>> JBoss, a division of Red Hat
> >>>>> http://bill.burkecentral.com
> 
> 

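The hazard Marek describes (an empty password that is passed through to an LDAP simple bind against an AD with anonymous bind enabled "authenticates" the user) and the lockout question Stian raises are illustrated below. This is an added example, not code from this thread or from Keycloak: the directory is a constructed in-memory stand-in whose empty-password behaviour mirrors the "unauthenticated" simple bind of RFC 4513 section 5.1.2, the class names and the lockout threshold are hypothetical, and nothing here models Keycloak's real BruteForceProtector or LDAPOperationManager.

```python
"""Empty password vs. LDAP simple bind: naive pass-through beside a guarded
authenticator. Added example; not Keycloak code. The directory is a
constructed stand-in, the threshold and class names are hypothetical."""
from collections import defaultdict

# Hypothetical lockout threshold; Keycloak's real brute-force settings are
# realm configuration and are not modelled here.
DEFAULT_MAX_FAILURES = 3


class FakeDirectory:
    """Constructed in-memory stand-in for an AD/LDAP server's simple bind."""

    def __init__(self, passwords, anonymous_bind=True):
        self._passwords = passwords        # dn -> password, constructed data
        self.anonymous_bind = anonymous_bind

    def simple_bind(self, dn, password):
        # RFC 4513 section 5.1.2: a simple bind carrying a DN but an empty
        # password is an "unauthenticated" bind. Servers that allow anonymous
        # access answer success, which proves nothing about the password.
        if password == "":
            return self.anonymous_bind
        return self._passwords.get(dn) == password


class NaiveAuthenticator:
    """Forwards the submitted password to the bind unchanged (the hazard)."""

    def __init__(self, directory):
        self.directory = directory

    def login(self, dn, password):
        # A missing form field becomes "" on the wire.
        return self.directory.simple_bind(dn, password or "")


class HardenedAuthenticator:
    """Rejects empty passwords before any bind and tracks failed attempts."""

    def __init__(self, directory, max_failures=DEFAULT_MAX_FAILURES,
                 count_empty_as_failure=True):
        self.directory = directory
        self.max_failures = max_failures
        # Whether an empty submission counts toward lockout is the policy
        # question raised in the thread; it is a switch here, not a verdict.
        self.count_empty_as_failure = count_empty_as_failure
        self.failures = defaultdict(int)

    def is_locked(self, dn):
        return self.failures[dn] >= self.max_failures

    def login(self, dn, password):
        if self.is_locked(dn):
            return False
        if not password:
            # Never let "" reach simple_bind: it would be an unauthenticated
            # bind, not a password check.
            if self.count_empty_as_failure:
                self.failures[dn] += 1
            return False
        if self.directory.simple_bind(dn, password):
            self.failures[dn] = 0
            return True
        self.failures[dn] += 1
        return False


if __name__ == "__main__":
    dn = "cn=alice,ou=users,dc=example,dc=com"   # constructed entry
    directory = FakeDirectory({dn: "s3cret"}, anonymous_bind=True)
    print("naive, empty password:", NaiveAuthenticator(directory).login(dn, ""))
    print("hardened, empty password:", HardenedAuthenticator(directory).login(dn, ""))
```

The naive path only fails safe when anonymous bind happens to be disabled on the directory side, which is exactly the default-settings concern in the thread; the guarded path refuses the empty value before any bind regardless of server configuration, and whether that refusal also feeds the lockout counter is left as an explicit switch rather than hidden in the bind logic.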